ENISA (the European Network and Information Security Agency) has released the findings of a recent major study into the key Network and Information Security (NIS) framework for all 30 participating countries.

The results of the research carried out by Deloitte, on behalf of ENISA, are available as separate PDF reports for each country.

Overall, the research shows a varied approach towards NIS national strategy with no obvious pattern derived from size or NIS maturity.

In many countries a NIS strategy is not a distinct or separate entity but forms part of other leading areas of administration such as Security, Public Administration or e-Business with government and public authority’s key players in policy formation.

NIS emphasis differs widely per country with some setting out clear priorities and objectives encompassing issues ranging from Information Security knowledge and development to defense from cyber attacks and strengthening information system security.

A common factor across most of the countries is a national/governmental CERT which takes a pro-active role in NIS and internal co-operation coordinating information on security incidents and paying particular attention to matters concerning critical infrastructures. Reporting of security incidents to the relevant internal CERTs has no legal requirement in some countries whereas others operate differing levels of incident reporting depending on the specifics of the incident.

The role of National Hotlines to Safer Internet Use is well established in most countries with a great deal of co-operation and collaboration activities.

In most countries Data Protection is catered for with defined enforcement rules but the extent and emphasis is varied.

Public Private Partnerships (PPPs) exist in most countries where public and private initiatives run alongside each other.

Inter-country alliances and co-operation takes place on many levels other than only through the EU or NATO. For example the Cooperative Cyber Defence Centre of Excellence (CCD COE) is located in Estonia and is open to all NATO nations where Slovak Republic, Estonia, Germany, Italy, Latvia, Lithuania and Spain are already active members.

Each country’s level of regulatory framework is detailed showing that the majority of countries have primary legislation in place. Secondary legislation shows a patchier picture with wide variations in the number of national authorities with responsibilities or number of CERTS per country. This is also true of the number of academic organizations available per country with the UK not being represented due to the large number of qualifying institutions with an NIS focus.

The rise of viruses, worms, malware, botnets and spam appears as a common theme in all countries although the level of investigation delivered varies considerably. In some countries there is no national risk management process and many have no national centralized and consolidated reporting/repository of emerging NIS risks.

Many individual countries may have recommended good practices in eCommunications network resilience across different responsible authorities but lack centralized systems for sharing of information between authorities, telecom providers and infrastructure owners.

Enforcement of the Data Protection Directive is in place through national regulatory authorities in all cases there is not always a an obligation to inform the authority or the affected data subject of a security breach.

This major report provides a comprehensive and interesting overview of NIS in EU countries. Visit the website and download the country reports here.

http://www.enisa.europa.eu/media/press-releases/eu-agency-maps-key-online-security-actors-strategies-good-practices-in-europe

An updated country-by-country Who-is-Who directory, that accompanies the NIS report, is also available from the ENISA website.

www.enisa.europa.eu